MEMORANDUM

September 30, 2005

To:     Corey Booth
        Kenneth Fogash
From:   Walter Stachnik
Re:     Security Certification and Accreditation of EFOIA (Audit No. 410)

Attached is the public audit report (No. 410) of the EFOIA certification and accreditation. The review was performed by ECS under a contract with our Office. The non-public technical report will be sent separately by email. The detailed recommendations from the non-public technical report will be tracked in the Audit Recommendation Tracking System.

We would appreciate receiving any additional comments you have concerning this audit and the report. In particular, we would like to know whether you found the audit useful. We also welcome any suggestions from you concerning how we could improve future audits.

The courtesy and cooperation of you and your staff during this audit are appreciated.

Attachment

cc:     Chrisan Herrod
        Peter Uhlmann
        Barbara Stance
        James McConnell
        Dan Lisewski
        Darlene Pryor
        Richard Hillman
        Celia Winter


Security Certification and Accreditation of EFOIA

EXECUTIVE SUMMARY

An Office of Inspector General (OIG) contractor (ECS) evaluated the EFOIA application as part of the OIG's fiscal year 2005 review under the Federal Information Security Management Act (FISMA). EFOIA was chosen for review because it had been certified and accredited (C&A) this year.

ECS briefed Commission management on its detailed findings and recommendations. The review found several risk areas in EFOIA, including the process for performing the certification and accreditation, contingency testing and training, and server room controls.

Commission management promptly began to consider appropriate corrective measures as a result of the review.

OBJECTIVES AND SCOPE

Our objectives were to determine if the EFOIA application met the necessary security requirements prescribed by FISMA and described in Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) standards.

During the review, the contractor interviewed Commission staff, reviewed relevant documentation, and evaluated and observed physical controls. The contractor used the information gathered to identify risk levels in EFOIA (i.e., high, medium, low) for a number of information technology (IT) areas. The contractor then identified possible solutions to eliminate or mitigate those risks.

The audit was performed in accordance with generally accepted government auditing standards between July and September 2005.

Security Certification and Accreditation of EFOIA - Audit No. 410        September 30, 2005

BACKGROUND

EFOIA is a major application used by the Office of Filing and Information Services (OFIS) to process Freedom of Information Act (FOIA) and Privacy Act (PA) requests from individuals and businesses. The application is actually a commercial-off-the-shelf (COTS) product called FOIAXpress, developed by AINS, Inc. FOIAXpress is used by several federal agencies in addition to the Commission.

EFOIA is a web-based application that electronically creates, stores, retrieves, redacts, and prints documents for delivery to FOIA requesters. It also keeps track of FOIA processing statistics and fees, in addition to generating reports on the number, types, and nature of FOIA requests processed, as required by the Department of Justice. EFOIA is maintained by the Office of Information Technology (OIT), and resides on an application server in the Commission's data center.

As the system owner, OFIS is responsible for following the IT management and security policies issued by OIT, as well as related statutes and government-wide regulations. OIT provides software development, hardware, and technical assistance to OFIS to help it carry out its IT management functions. OFIS has also contracted with AINS for application support in troubleshooting EFOIA problems.

OIT coordinated and implemented the certification and accreditation of EFOIA during fiscal year 2005, as required by OMB Circular A-130. Accreditation is the official management decision given by a senior agency official to authorize operation of an IT system. It involves explicitly accepting the risk to agency operations, assets, or individuals based on the implementation of an agreed-upon set of security controls.

The supporting evidence needed for security accreditation is developed through a detailed security review of the IT system, referred to as security certification. Certification determines the extent to which controls are implemented correctly, operating as intended, and meet the system security requirements.

AUDIT RESULTS

We found that security certification and accreditation at the Commission needs to be improved and brought into compliance with OMB and NIST standards, particularly regarding the independence of the certification agent. In addition, the certification of EFOIA depended on the certification of the general infrastructure support system (GSS), which had not yet occurred.

We identified several deficiencies within the EFOIA application, including contingency testing and training, and server room controls. The contractor prepared a detailed report containing its findings and recommendations. Because of the sensitivity of the detailed report, we have decided to issue this public report summarizing the results of our review.